HITRUST Redesigns CSF in v11 to Increase Efficiencies and Cyber Threat-Adaptive Assurances
Published On January 13, 2023
HITRUST, the information risk management, standards, and certification body, has released HITRUST CSF version 11 to improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.
"There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders," said Andrew Russell, VP of Standards, HITRUST. "The investments we've made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort."
The CSF v11 demonstrates HITRUST's commitment to continuous improvement:
Protects against new and emerging threats: The CSF v11 enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls that are appropriate for each level of assurance.
Reduces effort toward HITRUST Certification through greater efficiency: Improved control mappings and more precise control specifications in CSF v11 reduce the level of effort required for HITRUST certification. For example, the effort to achieve and maintain a HITRUST Implemented, 1-year (i1) Certification over two years can be reduced by up to 45%.
Enables a traversable assessment journey through an expanded and aligned portfolio: The HITRUST CSF now provides a single approach that covers broad assurance needs across different risk levels and compliance requirements, with greater assurance reliability than other assessment options. All HITRUST assessments are now subsets (or supersets) of each other, so organizations can reuse the work from lower-level HITRUST assessments to progressively achieve higher assurances through shared common control requirements and inheritance.
In addition, HITRUST CSF v11 is integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform. Microsoft, HITRUST, and an ecosystem of partners and healthcare organizations are also collaborating on advanced new capabilities to improve clarity on compliance requirements and shared responsibilities both across the U.S. and worldwide.
"The HITRUST inheritance program offers tremendous value to customers who build on our platform and can inherit our controls in their HITRUST assessment," said David Houlding, Director, Global Healthcare Business Strategy, Microsoft. "The expanded and traversable HITRUST assessment portfolio provides new flexibility enabling more organizations to leverage Microsoft's HITRUST assessments through the shared responsibilities and inheritance program to reduce the scope, cost, and time to achieve and maintain their own HITRUST compliance."
Expands authoritative sources: With CSF v11, HITRUST has added two new authoritative sources, NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards.
AI-Based Standards Development Toolkit: HITRUST has developed AI-based standards development capabilities to aid our assurance experts in mapping and maintaining authoritative sources. CSF v11 is the first version developed with this enhanced function. It will reduce mapping and maintenance efforts by up to 70% while improving the quality of mappings to authoritative sources and allowing for more authoritative sources in future releases.
"Security requirements are never complete, and a framework that is adaptive and responsive to security and compliance stakeholders is sorely needed," said Robert Booker, HITRUST Chief Strategy Officer. "We restlessly evaluate and update the CSF in response to new cyber security, assurance, and compliance requirements."
Organizations that downloaded a previous version of HITRUST CSF will be notified of the latest version.
Meditology is an authorized HITRUST External Assessor organization with a dedicated team of HITRUST experts available to discuss your specific certification needs.
Contact us if you have any questions about healthcare security certification options and approaches.